Port Knocking & Wireshark Packet Analysis | Moria Vulnhub CTF Walkthrough solution

This walkthrough covers the Moria Vulnhub machine: capturing the traffic the box sends back to the visitor (a series of TCP SYNs whose destination ports look like a port-knocking sequence but actually decode, as ASCII, to an FTP password), then enumerating the web root reachable over FTP to find salted MD5 password hashes, cracking them with John the Ripper, logging in over SSH with a cracked credential and finally using a private key left in that user's home directory to log in as root.

Description

Moria is NOT a beginner-oriented Boot2Root VM; it will require good enum skills and a lot of persistence. The VM has been tested on both VMware and VirtualBox and gets its IP through DHCP, so make sure you’re on the same network.

1. Initial Reconnaissance 🌐

I started by scanning the target machine using nmap with aggressive scan and OS detection flags. Command: nmap -A <target_IP>

I identified three open services: FTP, SSH, and HTTP. The vsftpd and OpenSSH versions had no usable known vulnerabilities. The Apache version was outdated, but a search of the exploit database turned up nothing immediately exploitable for that specific release.

2. Web Server Enumeration

I then accessed the main website. Viewing the page source and checking the image for hidden strings or EXIF data didn’t reveal anything useful. My next step was to perform directory brute-forcing using a wordlist called big.txt. Conceptual command: dirb http://<target_IP> /path/to/big.txt or gobuster dir -u http://<target_IP> -w /path/to/big.txt

This led to the discovery of a specific directory. When I accessed this directory, I noticed messages that changed with each page reload, which immediately hinted at port knocking. Some of these messages included names like “Ori” and “Min.”

3. FTP Exploration & Port Knocking Discovery

I compiled the names found on the webpage into a wordlist and attempted to brute-force the FTP server (with the known username “parlog”) using this wordlist, but it was unsuccessful.

The changing messages on the webpage strongly suggested port knocking, but no port sequence was visible anywhere on the site. The next idea was to check whether the target itself was sending anything back to me while I browsed, so I captured TCP traffic from the target to my attacker IP with tcpdump. Command: tcpdump -nn -i eth0 dst <attacker_IP> and tcp (replace eth0 with your active interface; -nn prints port numbers instead of resolving them to service names, which matters when you intend to read the ports as numbers).

As I reloaded the web page (triggering the changing messages), I observed a burst of SYN packets arriving from the vulnerable machine (Moria). Their destination ports, in order, were: 77, 101, 108, 108, 111, 110, 54, 57.

4. Port Knocking Attempt & ASCII Conversion

I used these ports as a knock sequence against the target. After knocking, a fresh nmap scan showed only two new filtered ports (9899 and 9990, associated with FTPS), so the sequence was not opening any useful service; it was not a knock at all.

At this point, I remembered a hint from the author of the machine about converting between ASCII and decimal. Reading each port in the sequence (77, 101, 108, 108, 111, 110, 54, 57) as a decimal ASCII code gives M, e, l, l, o, n, 6, 9, i.e. the string “Mellon69” (note the capital M from 77 and the double l from the repeated 108; 109 would have been a lowercase m).
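The capture-and-decode step above, as an added helper script that is not part of the original walkthrough: it parses tcpdump output (run with -nn so ports appear numerically), extracts the destination ports of SYNs sent from the target to the attacker in arrival order, and interprets them as decimal ASCII. The sample tcpdump lines, IP addresses and sequence numbers are constructed for this example and do not come from the real pcap; a conventional knock() helper is included for the case where a sequence really is a knock.

```python
from __future__ import annotations
import re
import socket

# Constructed stand-in for the capture described in the walkthrough.
# Addresses and sequence numbers are made up; the destination ports are the
# sequence from the text. Lines are in "tcpdump -nn" format (numeric ports).
SAMPLE_TCPDUMP = """\
10:41:02.118451 IP 192.168.56.103.41578 > 192.168.56.101.77: Flags [S], seq 3194572100, win 29200, length 0
10:41:02.118902 IP 192.168.56.103.41580 > 192.168.56.101.101: Flags [S], seq 1932754388, win 29200, length 0
10:41:02.119344 IP 192.168.56.103.41582 > 192.168.56.101.108: Flags [S], seq 2081374211, win 29200, length 0
10:41:02.119781 IP 192.168.56.103.41584 > 192.168.56.101.108: Flags [S], seq 2081374212, win 29200, length 0
10:41:02.120215 IP 192.168.56.103.41586 > 192.168.56.101.111: Flags [S], seq 3650984712, win 29200, length 0
10:41:02.120650 IP 192.168.56.103.41588 > 192.168.56.101.110: Flags [S], seq 1198237366, win 29200, length 0
10:41:02.121087 IP 192.168.56.103.41590 > 192.168.56.101.54: Flags [S], seq 2754120093, win 29200, length 0
10:41:02.121523 IP 192.168.56.103.41592 > 192.168.56.101.57: Flags [S], seq 4023581175, win 29200, length 0
"""

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump -nn line.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def knock_sequence(capture: str, knocker_ip: str, target_ip: str) -> list[int]:
    """Destination ports of pure SYNs sent from knocker_ip to target_ip, in capture order."""
    ports = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or m["src"] != knocker_ip or m["dst"] != target_ip:
            continue
        if m["flags"] != "S":  # "S." would be a SYN-ACK reply, not a knock
            continue
        ports.append(int(m["dport"]))
    return ports


def ports_to_ascii(ports: list[int]) -> str | None:
    """Read each port as a decimal ASCII code; None if any falls outside printable ASCII."""
    if ports and all(32 <= p <= 126 for p in ports):
        return "".join(chr(p) for p in ports)
    return None


def knock(host: str, ports: list[int], timeout: float = 0.3) -> None:
    """Conventional port knock: one connect attempt per port, in order (network side effect)."""
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, p))
            except OSError:
                pass  # closed/filtered ports are expected; only the SYN matters


if __name__ == "__main__":
    seq = knock_sequence(SAMPLE_TCPDUMP, "192.168.56.103", "192.168.56.101")
    print("ports:", seq)
    print("as ASCII:", ports_to_ascii(seq))
```

Feeding a real capture in is a matter of piping `tcpdump -nn -l -i <iface> 'src <target_IP> and dst <attacker_IP> and tcp[tcpflags] == tcp-syn'` into the script; the `-nn` flag is what keeps 110 from being printed as `pop3`.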

5. Successful FTP Login & Hash Discovery

I used “Mellon69” as the password for the FTP user “parlog,” and to my delight, the login was successful!

After navigating the FTP server, I found a file within the HTML directory. Accessing this file via the web browser revealed a list of usernames and their corresponding password hashes. The page source indicated these were MD5 hashes with a specific salt and algorithm (md5(password.salt)).

6. Cracking Hashes with John the Ripper

I saved the usernames, hashes, and the salt to a file and ran John the Ripper against it with the dynamic_6 format. Conceptual command: john --format=dynamic_6 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt. Two things to check before running it: John's dynamic_6 is md5(md5($p).$s), while a plain md5($p.$s) construction is dynamic_1, so match the format to the construction the page source actually describes; and dynamic formats expect each line in the layout user:$dynamic_N$hash$salt.

After some troubleshooting with John's pot file and session handling (john --show hashes.txt prints results already stored in the pot file), the cracked passwords were displayed.

7. SSH Access & Privilege Escalation

I tested the cracked credentials for SSH login. The username “re” and its cracked password “Spanky” successfully granted me SSH access.

Inside the “re” user’s home directory, in the .ssh folder, I found a private RSA key (id_rsa) and a known_hosts file. My first attempt to use this private key to SSH in as root from my attacker machine was rejected. A known_hosts file is the client-side record of server host keys that a user has previously accepted; it is not an access list and cannot by itself block a login, but it does show where the key has been used from.

The known_hosts file on the vulnerable machine listed the local address (127.0.0.1). This was the crucial hint: the key had been used from this box to connect to itself, so root’s key-based login was evidently accepted only from the local host. I therefore tried a local SSH login as root using the private key directly from the compromised machine. Command (executed on the compromised machine as user “re”): ssh -i ~/.ssh/id_rsa root@127.0.0.1 (if you copy the key elsewhere first, make sure it is mode 600, or ssh will refuse to use it).

This command did not prompt for a password, and I successfully obtained root access! This completed the Moria CTF challenge.
